hxxp://hripts/main/linux[.]shercontent[.]com/Lachine1/xmrig-scripts/main/linux[.]sh

Analysis

max time kernel
0s
max time network
384s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240729-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
19/09/2024, 05:59 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://hripts/main/linux.shercontent.com/Lachine1/xmrig-scripts/main/linux.sh

Score

3^/10

discovery

Malware Config

Signatures

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/module/apparmor/parameters/enabled	dbus-daemon
File opened for reading	/sys/kernel/security/apparmor/features/dbus/mask	dbus-daemon

Reads runtime system information 27 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	dbus-daemon
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/1574/attr/apparmor/current	dbus-daemon
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/sys/kernel/cap_last_cap	dbus-daemon
File opened for reading	/proc/1574/status	dbus-daemon
File opened for reading	/proc/1569/cmdline	dbus-daemon
File opened for reading	/proc/mounts	dbus-daemon
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/fd	dbus-send
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/fd	dbus-send
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/1590/cmdline	dbus-daemon
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/self/maps	grep

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1568	xdg-open
1659	firefox

/usr/bin/xdg-open
xdg-open http://hripts/main/linux.shercontent.com/Lachine1/xmrig-scripts/main/linux.sh
1⤵
- System Network Configuration Discovery
PID:1568
- /usr/bin/dbus-send
  dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
  2⤵
  - Reads runtime system information
  PID:1569
- - /usr/bin/dbus-launch
    dbus-launch --autolaunch f2de92a803c744e586bd87567a26b68a --binary-syntax --close-stderr
    3⤵
    PID:1570
  - - /usr/bin/dbus-daemon
      /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:1572
- /usr/bin/grep
  grep " = \\\"xfce4\\\"\$"
  2⤵
  - Reads runtime system information
  PID:1576
- /usr/bin/xprop
  xprop -root _DT_SAVE_MODE
  2⤵
  PID:1575
- /usr/bin/grep
  grep -i "^xfce_desktop_window"
  2⤵
  - Reads runtime system information
  PID:1578
- /usr/bin/xprop
  xprop -root
  2⤵
  PID:1577
- /usr/bin/grep
  grep -q "^Enlightenment"
  2⤵
  - Reads runtime system information
  PID:1580
- /usr/bin/uname
  uname
  2⤵
  PID:1581
- /usr/bin/grep
  grep -q "^file://"
  2⤵
  - Reads runtime system information
  PID:1583
- /usr/bin/egrep
  egrep -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1585
- /usr/local/sbin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1585
- /usr/local/bin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1585
- /usr/sbin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1585
- /usr/bin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  - Reads runtime system information
  PID:1585
- /usr/bin/sed
  sed -n "s/\$^[[:alnum:]+\\.-]*\$:.*\$/\\1/p"
  2⤵
  - Reads runtime system information
  PID:1588
- /usr/bin/xdg-mime
  xdg-mime query default x-scheme-handler/http
  2⤵
  PID:1589
- - /usr/bin/dbus-send
    dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
    3⤵
    - Reads runtime system information
    PID:1590
  - - /usr/bin/dbus-launch
      dbus-launch --autolaunch f2de92a803c744e586bd87567a26b68a --binary-syntax --close-stderr
      4⤵
      PID:1591
- - /usr/bin/grep
    grep " = \\\"xfce4\\\"\$"
    3⤵
    - Reads runtime system information
    PID:1593
- - /usr/bin/xprop
    xprop -root _DT_SAVE_MODE
    3⤵
    PID:1592
- - /usr/bin/grep
    grep -i "^xfce_desktop_window"
    3⤵
    - Reads runtime system information
    PID:1595
- - /usr/bin/xprop
    xprop -root
    3⤵
    PID:1594
- - /usr/bin/grep
    grep -q "^Enlightenment"
    3⤵
    - Reads runtime system information
    PID:1597
- - /usr/bin/uname
    uname
    3⤵
    PID:1598
- - /usr/bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:1601
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1606
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1605
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1604
- - /usr/bin/grep
    grep "x-scheme-handler/http=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
    3⤵
    - Reads runtime system information
    PID:1603
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1611
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1610
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1609
- - /usr/bin/grep
    grep "x-scheme-handler/http=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
    3⤵
    - Reads runtime system information
    PID:1608
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1616
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1615
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1614
- - /usr/bin/grep
    grep "x-scheme-handler/http=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
    3⤵
    - Reads runtime system information
    PID:1613
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1621
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1620
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1619
- - /usr/bin/grep
    grep "x-scheme-handler/http=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
    3⤵
    - Reads runtime system information
    PID:1618
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1626
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1625
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1624
- - /usr/bin/grep
    grep "x-scheme-handler/http=" /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache
    3⤵
    - Reads runtime system information
    PID:1623
- /usr/bin/sed
  sed "s/:/ /g"
  2⤵
  - Reads runtime system information
  PID:1629
- /usr/bin/sed
  sed -e "s|-|/|"
  2⤵
  - Reads runtime system information
  PID:1632
- /usr/bin/sed
  sed -e "s|-|/|"
  2⤵
  - Reads runtime system information
  PID:1635
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1640
- /usr/bin/which
  which firefox
  2⤵
  PID:1641
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1644
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1647
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1655
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1658
- /usr/bin/firefox
  /usr/bin/firefox http://hripts/main/linux.shercontent.com/Lachine1/xmrig-scripts/main/linux.sh
  2⤵
  - System Network Configuration Discovery
  PID:1659

Network

DNS

location.services.mozilla.com

Remote address:

8.8.8.8:53

Request

location.services.mozilla.com

IN A

Response

location.services.mozilla.com

IN CNAME

prod.classify-client.prod.webservices.mozgcp.net

prod.classify-client.prod.webservices.mozgcp.net

IN A

35.190.72.216
DNS

location.services.mozilla.com

Remote address:

8.8.8.8:53

Request

location.services.mozilla.com

IN AAAA

Response

location.services.mozilla.com

IN CNAME

prod.classify-client.prod.webservices.mozgcp.net
DNS

prod.classify-client.prod.webservices.mozgcp.net

Remote address:

8.8.8.8:53

Request

prod.classify-client.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

r10.o.lencr.org

Remote address:

8.8.8.8:53

Request

r10.o.lencr.org

IN A

Response

r10.o.lencr.org

IN CNAME

o.lencr.edgesuite.net

o.lencr.edgesuite.net

IN CNAME

a1887.dscq.akamai.net

a1887.dscq.akamai.net

IN A

173.222.211.43

a1887.dscq.akamai.net

IN A

173.222.211.9
DNS

r10.o.lencr.org

Remote address:

8.8.8.8:53

Request

r10.o.lencr.org

IN AAAA

Response

r10.o.lencr.org

IN CNAME

o.lencr.edgesuite.net

o.lencr.edgesuite.net

IN CNAME

a1887.dscq.akamai.net

a1887.dscq.akamai.net

IN AAAA

2a02:26f0:1780:1a::214:c65

a1887.dscq.akamai.net

IN AAAA

2a02:26f0:1780:1a::214:c64
POST

http://r10.o.lencr.org/

Remote address:

173.222.211.43:80

Request

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Thunderbird/115.10.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "5D2161D5618CD4B5A52861D36092ED5C6E0D69E9BEC0E388744D56BB3B61F89B"
Last-Modified: Wed, 18 Sep 2024 09:50:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=16855
Expires: Thu, 19 Sep 2024 10:42:49 GMT
Date: Thu, 19 Sep 2024 06:01:54 GMT
Connection: keep-alive
DNS

live.thunderbird.net

Remote address:

8.8.8.8:53

Request

live.thunderbird.net

IN A

Response

live.thunderbird.net

IN A

104.26.3.27

live.thunderbird.net

IN A

104.26.2.27

live.thunderbird.net

IN A

172.67.74.82
DNS

live.thunderbird.net

Remote address:

8.8.8.8:53

Request

live.thunderbird.net

IN AAAA

Response

live.thunderbird.net

IN AAAA

2606:4700:20::681a:21b

live.thunderbird.net

IN AAAA

2606:4700:20::ac43:4a52

live.thunderbird.net

IN AAAA

2606:4700:20::681a:31b
DNS

autoconfig.thunderbird.net

Remote address:

8.8.8.8:53

Request

autoconfig.thunderbird.net

IN A

Response

autoconfig.thunderbird.net

IN A

172.67.74.82

autoconfig.thunderbird.net

IN A

104.26.2.27

autoconfig.thunderbird.net

IN A

104.26.3.27
DNS

autoconfig.thunderbird.net

Remote address:

8.8.8.8:53

Request

autoconfig.thunderbird.net

IN AAAA

Response

autoconfig.thunderbird.net

IN AAAA

2606:4700:20::ac43:4a52

autoconfig.thunderbird.net

IN AAAA

2606:4700:20::681a:31b

autoconfig.thunderbird.net

IN AAAA

2606:4700:20::681a:21b
DNS

support.mozilla.org

Remote address:

8.8.8.8:53

Request

support.mozilla.org

IN A

Response

support.mozilla.org

IN CNAME

prod.sumo.prod.webservices.mozgcp.net

prod.sumo.prod.webservices.mozgcp.net

IN CNAME

us-west1.prod.sumo.prod.webservices.mozgcp.net

us-west1.prod.sumo.prod.webservices.mozgcp.net

IN A

34.149.128.2
DNS

support.mozilla.org

Remote address:

8.8.8.8:53

Request

support.mozilla.org

IN AAAA

Response

support.mozilla.org

IN CNAME

prod.sumo.prod.webservices.mozgcp.net

prod.sumo.prod.webservices.mozgcp.net

IN CNAME

us-west1.prod.sumo.prod.webservices.mozgcp.net
DNS

www.mozilla.org

Remote address:

8.8.8.8:53

Request

www.mozilla.org

IN A

Response

www.mozilla.org

IN CNAME

www.mozorg.moz.works

www.mozorg.moz.works

IN A

143.204.72.186
DNS

www.mozilla.org

Remote address:

8.8.8.8:53

Request

www.mozilla.org

IN AAAA

Response

www.mozilla.org

IN CNAME

www.mozorg.moz.works
DNS

us-west1.prod.sumo.prod.webservices.mozgcp.net

Remote address:

8.8.8.8:53

Request

us-west1.prod.sumo.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

www.mozorg.moz.works

Remote address:

8.8.8.8:53

Request

www.mozorg.moz.works

IN AAAA

Response
DNS

start.thunderbird.net

Remote address:

8.8.8.8:53

Request

start.thunderbird.net

IN A

Response

start.thunderbird.net

IN A

104.26.3.27

start.thunderbird.net

IN A

172.67.74.82

start.thunderbird.net

IN A

104.26.2.27
DNS

start.thunderbird.net

Remote address:

8.8.8.8:53

Request

start.thunderbird.net

IN AAAA

Response

start.thunderbird.net

IN AAAA

2606:4700:20::ac43:4a52

start.thunderbird.net

IN AAAA

2606:4700:20::681a:21b

start.thunderbird.net

IN AAAA

2606:4700:20::681a:31b
DNS

www.mozorg.moz.works

Remote address:

8.8.8.8:53

Request

www.mozorg.moz.works

IN AAAA

Response
DNS

api.snapcraft.io

Remote address:

8.8.8.8:53

Request

api.snapcraft.io

IN A

Response

api.snapcraft.io

IN A

185.125.188.58

api.snapcraft.io

IN A

185.125.188.59

api.snapcraft.io

IN A

185.125.188.55

api.snapcraft.io

IN A

185.125.188.54
DNS

api.snapcraft.io

Remote address:

8.8.8.8:53

Request

api.snapcraft.io

IN AAAA

Response
DNS

api.snapcraft.io

Remote address:

8.8.8.8:53

Request

api.snapcraft.io

IN AAAA

Response

35.190.72.216:443

location.services.mozilla.com

tls

2.1kB
4.9kB
19
17
173.222.211.43:80

http://r10.o.lencr.org/

http

795 B
1.2kB
7
5

HTTP Request

POST http://r10.o.lencr.org/

HTTP Response

200
104.26.3.27:443

live.thunderbird.net

tls

1.9kB
5.1kB
16
12
172.67.74.82:443

autoconfig.thunderbird.net

tls

1.3kB
4.2kB
11
9
104.26.2.27:443

live.thunderbird.net

tls

1.9kB
5.3kB
13
12
104.26.3.27:443

start.thunderbird.net

tls

1.4kB
4.1kB
11
8
143.204.72.186:443

www.mozilla.org

tls

13.0kB
403.1kB
161
310
143.204.72.186:443

www.mozilla.org

100 B
60 B
2
1
143.204.72.186:443

www.mozilla.org

tls

2.2kB
15.3kB
21
22
185.125.188.58:443

api.snapcraft.io

tls

1.3kB
5.4kB
12
9
185.125.188.59:443

api.snapcraft.io

tls

4.7kB
293.3kB
77
217

224.0.0.251:5353

219 B
3
8.8.8.8:53

location.services.mozilla.com

dns

86 B
164 B
1
1

DNS Request

location.services.mozilla.com

DNS Response

35.190.72.216
8.8.8.8:53

location.services.mozilla.com

dns

86 B
238 B
1
1

DNS Request

location.services.mozilla.com
8.8.8.8:53

prod.classify-client.prod.webservices.mozgcp.net

dns

105 B
198 B
1
1

DNS Request

prod.classify-client.prod.webservices.mozgcp.net
8.8.8.8:53

r10.o.lencr.org

dns

72 B
171 B
1
1

DNS Request

r10.o.lencr.org

DNS Response

173.222.211.43

173.222.211.9
8.8.8.8:53

r10.o.lencr.org

dns

72 B
195 B
1
1

DNS Request

r10.o.lencr.org

DNS Response

2a02:26f0:1780:1a::214:c65

2a02:26f0:1780:1a::214:c64
35.190.72.216:443

location.services.mozilla.com

https

1.7kB
4.3kB
5
6
8.8.8.8:53

live.thunderbird.net

dns

77 B
125 B
1
1

DNS Request

live.thunderbird.net

DNS Response

104.26.3.27

104.26.2.27

172.67.74.82
8.8.8.8:53

live.thunderbird.net

dns

77 B
161 B
1
1

DNS Request

live.thunderbird.net

DNS Response

2606:4700:20::681a:21b

2606:4700:20::ac43:4a52

2606:4700:20::681a:31b
104.26.3.27:443

live.thunderbird.net

https

2.0kB
7.2kB
7
12
8.8.8.8:53

autoconfig.thunderbird.net

dns

83 B
131 B
1
1

DNS Request

autoconfig.thunderbird.net

DNS Response

172.67.74.82

104.26.2.27

104.26.3.27
8.8.8.8:53

autoconfig.thunderbird.net

dns

83 B
167 B
1
1

DNS Request

autoconfig.thunderbird.net

DNS Response

2606:4700:20::ac43:4a52

2606:4700:20::681a:31b

2606:4700:20::681a:21b
8.8.8.8:53

support.mozilla.org

dns

76 B
166 B
1
1

DNS Request

support.mozilla.org

DNS Response

34.149.128.2
8.8.8.8:53

support.mozilla.org

dns

76 B
243 B
1
1

DNS Request

support.mozilla.org
8.8.8.8:53

www.mozilla.org

dns

72 B
122 B
1
1

DNS Request

www.mozilla.org

DNS Response

143.204.72.186
8.8.8.8:53

www.mozilla.org

dns

72 B
187 B
1
1

DNS Request

www.mozilla.org
8.8.8.8:53

us-west1.prod.sumo.prod.webservices.mozgcp.net

dns

103 B
196 B
1
1

DNS Request

us-west1.prod.sumo.prod.webservices.mozgcp.net
8.8.8.8:53

www.mozorg.moz.works

dns

77 B
158 B
1
1

DNS Request

www.mozorg.moz.works
172.67.74.82:443

autoconfig.thunderbird.net

https

2.2kB
11.5kB
8
25
104.26.2.27:443

autoconfig.thunderbird.net

https

8.8kB
336.3kB
59
304
8.8.8.8:53

start.thunderbird.net

dns

78 B
126 B
1
1

DNS Request

start.thunderbird.net

DNS Response

104.26.3.27

172.67.74.82

104.26.2.27
8.8.8.8:53

start.thunderbird.net

dns

78 B
162 B
1
1

DNS Request

start.thunderbird.net

DNS Response

2606:4700:20::ac43:4a52

2606:4700:20::681a:21b

2606:4700:20::681a:31b
104.26.3.27:443

start.thunderbird.net

https

2.1kB
11.5kB
7
24
8.8.8.8:53

www.mozorg.moz.works

dns

77 B
158 B
1
1

DNS Request

www.mozorg.moz.works
8.8.8.8:53

api.snapcraft.io

dns

73 B
137 B
1
1

DNS Request

api.snapcraft.io

DNS Response

185.125.188.58

185.125.188.59

185.125.188.55

185.125.188.54
8.8.8.8:53

api.snapcraft.io

dns

73 B
137 B
1
1

DNS Request

api.snapcraft.io
8.8.8.8:53

api.snapcraft.io

dns

73 B
137 B
1
1

DNS Request

api.snapcraft.io

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.dbus/session-bus/f2de92a803c744e586bd87567a26b68a-0

Filesize
465B

MD5
cfb6b36bd9e55392c99441ea0798e5f4

SHA1
d819e181c9d5d8d1e7f40564b6b19cef0202d735

SHA256
5828ef3ca9e72cafdba9490b2f9d9f451ee3105efde4837cdec4bcd16228f39c

SHA512
066fb1f1ffca4791e9b11c98f15b1282cc369c0338d99a1a856dbd0d0c273fdf9e571af0de5bc274e2df0c6f92e8d45badf50b8738d60df9b71671f3226da707

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.